@pagopa/io-react-native-wallet 0.13.1 → 0.15.0

package/src/credential/issuance/04-complete-user-authorization.ts

@@ -4,12 +4,26 @@ import {
   type AuthorizationContext,
   type AuthorizationResult,
 } from "../../utils/auth";
-import { until, type Out } from "../../utils/misc";
+import { hasStatus, until, type Out } from "../../utils/misc";
 import type { StartUserAuthorization } from "./03-start-user-authorization";
 import parseUrl from "parse-url";
-import { AuthorizationError, AuthorizationIdpError } from "../../utils/errors";
+import {
+  AuthorizationError,
+  AuthorizationIdpError,
+  ValidationFailed,
+} from "../../utils/errors";
 import type { EvaluateIssuerTrust } from "./02-evaluate-issuer-trust";
 import { Linking } from "react-native";
+import {
+  decode,
+  encodeBase64,
+  SignJWT,
+  type CryptoContext,
+} from "@pagopa/io-react-native-jwt";
+import { RequestObject } from "../presentation/types";
+import uuid from "react-native-uuid";
+import { ResponseUriResultShape } from "./types";
+import { getJwtFromFormPost } from "../../../src/utils/decoder";
 
 /**
  * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
@@ -23,6 +37,24 @@ export type CompleteUserAuthorizationWithQueryMode = (
   authorizationContext?: AuthorizationContext
 ) => Promise<AuthorizationResult>;
 
+export type CompleteUserAuthorizationWithFormPostJwtMode = (
+  requestObject: Out<GetRequestedCredentialToBePresented>,
+  context: {
+    wiaCryptoContext: CryptoContext;
+    pidCryptoContext: CryptoContext;
+    pid: string;
+    walletInstanceAttestation: string;
+    appFetch?: GlobalFetch["fetch"];
+  }
+) => Promise<AuthorizationResult>;
+
+export type GetRequestedCredentialToBePresented = (
+  issuerRequestUri: Out<StartUserAuthorization>["issuerRequestUri"],
+  clientId: Out<StartUserAuthorization>["clientId"],
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  appFetch?: GlobalFetch["fetch"]
+) => Promise<RequestObject>;
+
 /**
  * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link authorizeAccess}.
  * The interface of the phase to complete User authorization via strong identification when the response mode is "query" and the request credential is a PersonIdentificationData.
@@ -49,11 +81,6 @@ export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWi
     redirectUri,
     authorizationContext
   ) => {
-    /**
-     * Starts the authorization flow which dependes on the response mode and the request credential.
-     * If the response mode is "query" the authorization flow is handled differently via the authorization context which opens an in-app browser capable of catching the redirectSchema.
-     * The form_post.jwt mode is not currently supported.
-     */
     const authzRequestEndpoint =
       issuerConf.oauth_authorization_server.authorization_endpoint;
     const params = new URLSearchParams({
@@ -97,22 +124,190 @@ export const completeUserAuthorizationWithQueryMode: CompleteUserAuthorizationWi
       }
     }
 
-    const urlParse = parseUrl(authRedirectUrl);
-    const authRes = AuthorizationResultShape.safeParse(urlParse.query);
-    if (!authRes.success) {
-      const authErr = AuthorizationErrorShape.safeParse(urlParse.query);
-      if (!authErr.success) {
-        throw new AuthorizationError(authRes.error.message); // an error occured while parsing the result and the error
-      }
-      throw new AuthorizationIdpError(
-        authErr.data.error,
-        authErr.data.error_description
+    const query = parseUrl(authRedirectUrl).query;
+    return parseAuthroizationResponse(query);
+  };
+
+/**
+ * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link completeUserAuthorizationWithFormPostJwtMode}.
+ * The interface of the phase to complete User authorization via presentation of existing credentials when the response mode is "form_post.jwt".
+ * It is used as a first step to complete the user authorization by obtaining the requested credential to be presented from the authorization server.
+ * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
+ * @param issuerRequestUri the URI of the issuer where the request is sent
+ * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @throws {ValidationFailed} if an error while validating the response
+ * @returns the request object which contains the credential to be presented in order to obtain the requested credential
+ */
+export const getRequestedCredentialToBePresented: GetRequestedCredentialToBePresented =
+  async (issuerRequestUri, clientId, issuerConf, appFetch = fetch) => {
+    const authzRequestEndpoint =
+      issuerConf.oauth_authorization_server.authorization_endpoint;
+    const params = new URLSearchParams({
+      client_id: clientId,
+      request_uri: issuerRequestUri,
+    });
+
+    const requestObject = await appFetch(
+      `${authzRequestEndpoint}?${params.toString()}`,
+      { method: "GET" }
+    )
+      .then(hasStatus(200))
+      .then((res) => res.text())
+      .then((jws) => decode(jws))
+      .then((reqObj) => RequestObject.safeParse(reqObj.payload));
+
+    if (!requestObject.success) {
+      throw new ValidationFailed(
+        "Request Object validation failed",
+        requestObject.error.message
       );
     }
-    return authRes.data;
+    return requestObject.data;
   };
 
-// TODO: SIW-1120 implement generic credential issuance flow
-export const completeUserAuthorizationWithFormPostJwtMode = () => {
-  throw new Error("Not implemented");
+/**
+ * WARNING: This function must be called after {@link startUserAuthorization}. The next function to be called is {@link completeUserAuthorizationWithFormPostJwtMode}.
+ * The interface of the phase to complete User authorization via presentation of existing credentials when the response mode is "form_post.jwt".
+ * It is used as a first step to complete the user authorization by obtaining the requested credential to be presented from the authorization server.
+ * The information is obtained by performing a GET request to the authorization endpoint with request_uri and client_id parameters.
+ * @param issuerRequestUri the URI of the issuer where the request is sent
+ * @param clientId Identifies the current client across all the requests of the issuing flow returned by {@link startUserAuthorization}
+ * @param issuerConf The issuer configuration returned by {@link evaluateIssuerTrust}
+ * @param context.walletInstanceAccestation the Wallet Instance's attestation to be presented
+ * @param context.pid the PID to be presented
+ * @param context.wiaCryptoContext The Wallet Instance's crypto context associated with the walletInstanceAttestation parameter
+ * @param context.pidCryptoContext The PID crypto context associated with the pid parameter
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @throws {ValidationFailed} if an error while validating the response
+ * @returns the authorization response which contains code, state and iss
+ */
+export const completeUserAuthorizationWithFormPostJwtMode: CompleteUserAuthorizationWithFormPostJwtMode =
+  async (requestObject, ctx) => {
+    const {
+      wiaCryptoContext,
+      pidCryptoContext,
+      pid,
+      walletInstanceAttestation,
+      appFetch = fetch,
+    } = ctx;
+
+    const wiaWpToken = await new SignJWT(wiaCryptoContext)
+      .setProtectedHeader({
+        alg: "ES256",
+        typ: "JWT",
+      })
+      .setPayload({
+        vp: walletInstanceAttestation,
+        jti: uuid.v4().toString(),
+        nonce: requestObject.nonce,
+      })
+      .setIssuedAt()
+      .setExpirationTime("5m")
+      .setAudience(requestObject.response_uri)
+      .sign();
+
+    const pidWpToken = await new SignJWT(pidCryptoContext)
+      .setProtectedHeader({
+        alg: "ES256",
+        typ: "JWT",
+      })
+      .setPayload({
+        vp: pid,
+        jti: uuid.v4().toString(),
+        nonce: requestObject.nonce,
+      })
+      .setIssuedAt()
+      .setExpirationTime("5m")
+      .setAudience(requestObject.response_uri)
+      .sign();
+
+    /* The path parameter refers to the vp_token variable of the authzResponsePayload and must point to the plain credential which
+     * is cointaned in the `vp` property of the signed jwt token payload
+     */
+    const presentationSubmission = {
+      definition_id: `${uuid.v4()}`,
+      id: `${uuid.v4()}`,
+      descriptor_map: [
+        {
+          id: "PersonIdentificationData",
+          path: "$.vp_token[0].vp",
+          format: "vc+sd-jwt",
+        },
+        {
+          id: "WalletAttestation",
+          path: "$.vp_token[1].vp",
+          format: "jwt",
+        },
+      ],
+    };
+
+    const authzResponsePayload = encodeBase64(
+      JSON.stringify({
+        state: requestObject.state,
+        presentation_submission: presentationSubmission,
+        vp_token: [pidWpToken, wiaWpToken],
+      })
+    );
+
+    // Note: according to the spec, the response should be encrypted with the public key of the RP however this is not implemented yet
+    // https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-signed-and-encrypted-response
+    // const rsaPublicJwk = chooseRSAPublicKeyToEncrypt(rpConf);
+    // const encrypted = await new EncryptJwe(authzResponsePayload, {
+    //   alg: "RSA-OAEP-256",
+    //   enc: "A256CBC-HS512",
+    //   kid: rsaPublicJwk.kid,
+    // }).encrypt(rsaPublicJwk);
+
+    const body = new URLSearchParams({
+      response: authzResponsePayload,
+    }).toString();
+    const resUriRes = await appFetch(requestObject.response_uri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded",
+      },
+      body,
+    })
+      .then(hasStatus(200))
+      .then((reqUri) => reqUri.json());
+
+    const responseUri = ResponseUriResultShape.safeParse(resUriRes);
+    if (!responseUri.success) {
+      throw new ValidationFailed(
+        "Response Uri validation failed",
+        responseUri.error.message
+      );
+    }
+
+    return await appFetch(responseUri.data.redirect_uri)
+      .then(hasStatus(200))
+      .then((res) => res.text())
+      .then(getJwtFromFormPost)
+      .then((cbRes) => parseAuthroizationResponse(cbRes.decodedJwt.payload));
+  };
+
+/**
+ * Parse the authorization response and return the result which contains code, state and iss.
+ * @throws {AuthorizationError} if an error occurs during the parsing process
+ * @throws {AuthorizationIdpError} if an error occurs during the parsing process and the error is related to the IDP
+ * @param authRes the authorization response to be parsed
+ * @returns the authorization result which contains code, state and iss
+ */
+export const parseAuthroizationResponse = (
+  authRes: unknown
+): AuthorizationResult => {
+  const authResParsed = AuthorizationResultShape.safeParse(authRes);
+  if (!authResParsed.success) {
+    const authErr = AuthorizationErrorShape.safeParse(authRes);
+    if (!authErr.success) {
+      throw new AuthorizationError(authResParsed.error.message); // an error occured while parsing the result and the error
+    }
+    throw new AuthorizationIdpError(
+      authErr.data.error,
+      authErr.data.error_description
+    );
+  }
+  return authResParsed.data;
 };

package/src/credential/issuance/07-verify-and-parse-credential.ts

@@ -13,6 +13,7 @@ export type VerifyAndParseCredential = (
   format: Out<ObtainCredential>["format"],
   context: {
     credentialCryptoContext: CryptoContext;
+    ignoreMissingAttributes?: boolean;
   }
 ) => Promise<{ parsedCredential: ParsedCredential }>;
 
@@ -42,7 +43,8 @@ type DecodedSdJwtCredential = Out<typeof verifySdJwt> & {
 const parseCredentialSdJwt = (
   // the list of supported credentials, as defined in the issuer configuration
   credentials_supported: Out<EvaluateIssuerTrust>["issuerConf"]["openid_credential_issuer"]["credential_configurations_supported"],
-  { sdJwt, disclosures }: DecodedSdJwtCredential
+  { sdJwt, disclosures }: DecodedSdJwtCredential,
+  ignoreMissingAttributes: boolean = false
 ): ParsedCredential => {
   const credentialSubject = credentials_supported[sdJwt.payload.vct];
 
@@ -57,6 +59,9 @@ const parseCredentialSdJwt = (
   }
 
   // transfrom a record { key: value } in an iterable of pairs [key, value]
+  if (!credentialSubject.claims) {
+    throw new IoWalletError("Missing claims in the credential subject"); // TODO [SIW-1268]: should not be optional
+  }
   const attrDefinitions = Object.entries(credentialSubject.claims);
 
   // the key of the attribute defintion must match the disclosure's name
@@ -66,9 +71,11 @@ const parseCredentialSdJwt = (
   if (attrsNotInDisclosures.length > 0) {
     const missing = attrsNotInDisclosures.map((_) => _[0 /* key */]).join(", ");
     const received = disclosures.map((_) => _[1 /* name */]).join(", ");
-    throw new IoWalletError(
-      `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
-    );
+    if (!ignoreMissingAttributes) {
+      throw new IoWalletError(
+        `Some attributes are missing in the credential. Missing: [${missing}], received: [${received}]`
+      );
+    }
   }
 
   // attributes that are defined in the issuer configuration
@@ -169,7 +176,7 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
   issuerConf,
   credential,
   _,
-  { credentialCryptoContext }
+  { credentialCryptoContext, ignoreMissingAttributes }
 ) => {
   const decoded = await verifyCredentialSdJwt(
     credential,
@@ -179,7 +186,8 @@ const verifyAndParseCredentialSdJwt: WithFormat<"vc+sd-jwt"> = async (
 
   const parsedCredential = parseCredentialSdJwt(
     issuerConf.openid_credential_issuer.credential_configurations_supported,
-    decoded
+    decoded,
+    ignoreMissingAttributes
   );
 
   return { parsedCredential };

package/src/credential/issuance/index.ts

@@ -9,7 +9,12 @@ import {
 } from "./03-start-user-authorization";
 import {
   completeUserAuthorizationWithQueryMode,
+  completeUserAuthorizationWithFormPostJwtMode,
+  parseAuthroizationResponse,
   type CompleteUserAuthorizationWithQueryMode,
+  type CompleteUserAuthorizationWithFormPostJwtMode,
+  type GetRequestedCredentialToBePresented,
+  getRequestedCredentialToBePresented,
 } from "./04-complete-user-authorization";
 import { authorizeAccess, type AuthorizeAccess } from "./05-authorize-access";
 import {
@@ -25,15 +30,20 @@ export {
   evaluateIssuerTrust,
   startUserAuthorization,
   completeUserAuthorizationWithQueryMode,
+  getRequestedCredentialToBePresented,
+  completeUserAuthorizationWithFormPostJwtMode,
   authorizeAccess,
   obtainCredential,
   verifyAndParseCredential,
+  parseAuthroizationResponse,
 };
 export type {
   StartFlow,
   EvaluateIssuerTrust,
   StartUserAuthorization,
   CompleteUserAuthorizationWithQueryMode,
+  GetRequestedCredentialToBePresented,
+  CompleteUserAuthorizationWithFormPostJwtMode,
   AuthorizeAccess,
   ObtainCredential,
   VerifyAndParseCredential,

package/src/credential/issuance/types.ts

@@ -22,4 +22,11 @@ export const CredentialResponse = z.object({
   format: SupportedCredentialFormat,
 });
 
+/**
+ * Shape from parsing a response given by a request uri during the EAA credential issuance flow with response mode "form_post.jwt".
+ */
+export const ResponseUriResultShape = z.object({
+  redirect_uri: z.string(),
+});
+
 export type ResponseMode = "query" | "form_post.jwt";

package/src/index.ts

@@ -11,6 +11,7 @@ import * as Errors from "./utils/errors";
 import * as WalletInstanceAttestation from "./wallet-instance-attestation";
 import * as Trust from "./trust";
 import * as WalletInstance from "./wallet-instance";
+import * as Cie from "./cie";
 import { AuthorizationDetail, AuthorizationDetails } from "./utils/par";
 import { createCryptoContextFor } from "./utils/crypto";
 import type { IntegrityContext } from "./utils/integrity";
@@ -27,6 +28,7 @@ export {
   AuthorizationDetail,
   AuthorizationDetails,
   fixBase64EncodingOnKey,
+  Cie,
 };
 
 export type { IntegrityContext, AuthorizationContext };

package/src/trust/types.ts

@@ -37,10 +37,12 @@ type CredentialIssuerDisplayMetadata = z.infer<
 const CredentialIssuerDisplayMetadata = z.object({
   name: z.string(),
   locale: z.string(),
-  logo: z.object({
-    url: z.string(),
-    alt_text: z.string(),
-  }),
+  logo: z
+    .object({
+      url: z.string(),
+      alt_text: z.string(),
+    })
+    .optional(), // TODO [SIW-1268]: should not be optional
 });
 
 type ClaimsMetadata = z.infer<typeof ClaimsMetadata>;
@@ -57,7 +59,7 @@ const SupportedCredentialMetadata = z.object({
   format: z.union([z.literal("vc+sd-jwt"), z.literal("vc+mdoc-cbor")]),
   scope: z.string(),
   display: z.array(CredentialDisplayMetadata),
-  claims: ClaimsMetadata,
+  claims: ClaimsMetadata.optional(), // TODO [SIW-1268]: should not be optional
   cryptographic_binding_methods_supported: z.array(z.string()),
   credential_signing_alg_values_supported: z.array(z.string()),
 });
@@ -180,7 +182,7 @@ export const CredentialIssuerEntityConfiguration = BaseEntityConfiguration.and(
         /** Credential Issuers act as Relying Party
             when they require the presentation of other credentials.
             This does not apply for PID issuance, which requires CIE authz. */
-        openid_relying_party: RelyingPartyMetadata.optional(),
+        wallet_relying_party: RelyingPartyMetadata.optional(),
       }),
     }),
   })

package/src/utils/decoder.ts

@@ -6,34 +6,43 @@ import { ValidationFailed } from "./errors";
  * Decode a form_post.jwt and return the final JWT.
  * The formData here is in form_post.jwt format as defined in
  * JWT Secured Authorization Response Mode for OAuth 2.0 (JARM)
- * HTTP/1.1 200 OK
- *   Content-Type: text/html;charset=UTF-8
- *   Cache-Control: no-cache, no-store
- *   Pragma: no-cache
- *
- *   <html>
- *   <head><title>Submit This Form</title></head>
- *   <body onload="javascript:document.forms[0].submit()">
- *     <form method="post" action="https://client.example.com/cb">
- *       <input type="hidden" name="response"
- *       value="eyJhbGciOiJSUz....."/>
- *       </form>
- *    </body>
- *   </html>
+ <!DOCTYPE html>
+    <html>
+        <head>
+            <meta charset="utf-8" />
+        </head>
+        <body onload="document.forms[0].submit()">
+        <noscript>
+            <p>
+                <strong>Note:</strong> Since your browser does not support JavaScript, you must press the Continue button once to proceed.
+            </p>
+        </noscript>
+            <form action="iowalletexample//cb" method="post">       
+                <div>
+                    <input type="hidden" name="response" value="somevalue" />
+                </div>
+                <noscript>
+                    <div>
+                        <input type="submit" value="Continue" />
+                    </div>
+                </noscript>
+            </form>
+        </body>
+    </html>
  */
 export const getJwtFromFormPost = async (
   formData: string
 ): Promise<{ jwt: string; decodedJwt: JWTDecodeResult }> => {
-  const formPostRegex = /<input(.|\n)*value\s*=\s*"((.|\n)*)"(.|\n)*>/gm;
+  const formPostRegex = /<input[^>]*name="response"[^>]*value="([^"]*)"/i;
   const lineExpressionRegex = /\r\n|\n\r|\n|\r|\s+/g;
 
-  const matches = formPostRegex.exec(formData);
-  if (matches && matches.length >= 2) {
-    const responseJwt = matches[2];
+  const match = formPostRegex.exec(formData);
+  if (match && match[1]) {
+    const responseJwt = match[1];
 
     if (responseJwt) {
       const jwt = responseJwt.replace(lineExpressionRegex, "");
-      const decodedJwt = await decodeJwt(jwt);
+      const decodedJwt = decodeJwt(jwt);
       return { jwt, decodedJwt };
     }
   }