npm - @pagopa/io-react-native-wallet - Versions diffs - 1.7.0 → 2.0.0-next.0 - Mend

@pagopa/io-react-native-wallet 1.7.0 → 2.0.0-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (438) hide show

package/src/credential/presentation/07-evaluate-dcql-query.ts CHANGED Viewed

@@ -1,17 +1,10 @@
-import {
-  DcqlQuery,
-  DcqlError,
-  DcqlCredentialSetError,
-  DcqlQueryResult,
-  DcqlCredential,
-} from "dcql";
+import { DcqlQuery, DcqlError, DcqlQueryResult } from "dcql";
 import { isValiError } from "valibot";
-import { decode } from "../../sd-jwt";
+import { decode, prepareVpToken } from "../../sd-jwt";
 import type { Disclosure } from "../../sd-jwt/types";
-import { ValidationFailed } from "../../utils/errors";
-import { CredentialNotFoundError } from "./errors";
-import type { CredentialFormat, EvaluatedDisclosure } from "./types";
-import { CBOR } from "@pagopa/io-react-native-cbor";
+import { createCryptoContextFor } from "../../utils/crypto";
+import type { RemotePresentation } from "./types";
+import { CredentialsNotFoundError, type NotFoundDetail } from "./errors";
 /**
  * The purpose for the credential request by the RP.
@@ -22,97 +15,62 @@ type CredentialPurpose = {
 };
 export type EvaluateDcqlQuery = (
-  query: DcqlQuery.Input,
-  credentialsSdJwt: [
-    string /* type */,
-    string /* keyTag */,
-    string /* credential */,
-  ][],
-  credentialsMdoc: [
-    string /* type */,
-    string /* keyTag */,
-    string /* credential */,
-  ][]
-) => Promise<
-  ({
+  credentialsSdJwt: [string /* keyTag */, string /* credential */][],
+  query: DcqlQuery.Input
+) => {
+  id: string;
+  vct: string;
+  credential: string;
+  keyTag: string;
+  requiredDisclosures: Disclosure[];
+  purposes: CredentialPurpose[];
+}[];
+export type PrepareRemotePresentations = (
+  credentials: {
     id: string;
     credential: string;
     keyTag: string;
-    requiredDisclosures: EvaluatedDisclosure[];
-    purposes: CredentialPurpose[];
-  } & CredentialFormat)[]
->;
+    requestedClaims: string[];
+  }[],
+  nonce: string,
+  clientId: string
+) => Promise<RemotePresentation[]>;
 type DcqlMatchSuccess = Extract<
   DcqlQueryResult.CredentialMatch,
   { success: true }
 >;
-/**
- * Convert a credential in SD-JWT format to an object with claims
- * for correct parsing by the `dcql` library.
- */
-const mapCredentialSdJwtToObj = (credentials: [string, string, string][]) =>
-  credentials.map(([, , jwt]) => {
-    const { sdJwt, disclosures } = decode(jwt);
-    const credentialFormat = sdJwt.header.typ;
-    return {
-      vct: sdJwt.payload.vct,
-      credential_format: credentialFormat,
-      claims: disclosures.reduce(
-        (acc, disclosure) => ({
-          ...acc,
-          [disclosure.decoded[1]]: disclosure.decoded,
-        }),
-        {} as Record<string, Disclosure>
-      ),
-    } as DcqlCredential;
-  });
+type DcqlMatchFailure = Extract<
+  DcqlQueryResult.CredentialMatch,
+  { success: false }
+>;
 /**
- * Convert a credential in Mdoc format to an object with claims
+ * Convert a credential in JWT format to an object with claims
  * for correct parsing by the `dcql` library.
  */
-const mapCredentialsMdocToObj = async (
-  credentialsMdoc: [string, string, string][]
-) => {
-  return await Promise.all(
-    credentialsMdoc?.map(async ([type, _, credential]) => {
-      const issuerSigned = credential
-        ? await CBOR.decodeIssuerSigned(credential)
-        : undefined;
-      if (!issuerSigned) {
-        throw new CredentialNotFoundError(
-          "mso_mdoc credential is not present."
-        );
-      }
+const mapCredentialToObject = (jwt: string) => {
+  const { sdJwt, disclosures } = decode(jwt);
+  const credentialFormat = sdJwt.header.typ;
-      const namespaces = Object.entries(issuerSigned.nameSpaces).reduce(
-        (acc, [ns, nsClaims]) => {
-          const flattenNsClaims = Object.entries(nsClaims).reduce(
-            (ac, [, el]) => ({
-              ...ac,
-              [el.elementIdentifier]: el.elementValue,
-            }),
-            {} as Record<string, unknown>
-          );
-          return {
-            ...acc,
-            [ns]: flattenNsClaims,
-          };
-        },
-        {} as Record<string, unknown>
-      );
+  // TODO [SIW-2082]: support MDOC credentials
+  if (credentialFormat !== "vc+sd-jwt") {
+    throw new Error(`Unsupported credential format: ${credentialFormat}`);
+  }
-      return {
-        credential_format: "mso_mdoc",
-        doctype: type,
-        namespaces,
-      } as DcqlCredential;
-    })
-  );
+  return {
+    vct: sdJwt.payload.vct,
+    credential_format: credentialFormat,
+    claims: disclosures.reduce(
+      (acc, disclosure) => ({
+        ...acc,
+        [disclosure.decoded[1]]: disclosure.decoded,
+      }),
+      {} as Record<string, Disclosure>
+    ),
+  };
 };
 /**
@@ -123,14 +81,39 @@ const getDcqlQueryMatches = (result: DcqlQueryResult) =>
     ([, match]) => match.success === true
   ) as [string, DcqlMatchSuccess][];
-export const evaluateDcqlQuery: EvaluateDcqlQuery = async (
-  query,
+/**
+ * Extract only failed matches from the DCQL query result.
+ */
+const getDcqlQueryFailedMatches = (result: DcqlQueryResult) =>
+  Object.entries(result.credential_matches).filter(
+    ([, match]) => match.success === false
+  ) as [string, DcqlMatchFailure][];
+/**
+ * Extract missing credentials from the DCQL query result.
+ * Note: here we are assuming a failed match is a missing credential,
+ * but there might be other reasons for its failure.
+ */
+const extractMissingCredentials = (
+  queryResult: DcqlQueryResult,
+  originalQuery: DcqlQuery
+): NotFoundDetail[] => {
+  return getDcqlQueryFailedMatches(queryResult).map(([id]) => {
+    const credential = originalQuery.credentials.find((c) => c.id === id);
+    if (credential?.format !== "vc+sd-jwt") {
+      throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+    }
+    return { id, vctValues: credential.meta?.vct_values };
+  });
+};
+export const evaluateDcqlQuery: EvaluateDcqlQuery = (
   credentialsSdJwt,
-  credentialsMdoc
+  query
 ) => {
-  const credentials = [] as DcqlCredential[];
-  credentials.push(...mapCredentialSdJwtToObj(credentialsSdJwt));
-  credentials.push(...(await mapCredentialsMdocToObj(credentialsMdoc)));
+  const credentials = credentialsSdJwt.map(([, credential]) =>
+    mapCredentialToObject(credential)
+  );
   try {
     // Validate the query
@@ -140,10 +123,23 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = async (
     const queryResult = DcqlQuery.query(parsedQuery, credentials);
     if (!queryResult.canBeSatisfied) {
-      throw new Error("No credential can satisfy the provided DCQL query");
+      throw new CredentialsNotFoundError(
+        extractMissingCredentials(queryResult, parsedQuery)
+      );
     }
+    // Build an object vct:credentialJwt to map matched credentials to their JWT
+    const credentialsSdJwtByVct = credentials.reduce(
+      (acc, c, i) => ({ ...acc, [c.vct]: credentialsSdJwt[i]! }),
+      {} as Record<string, [string /* keyTag */, string /* credential */]>
+    );
     return getDcqlQueryMatches(queryResult).map(([id, match]) => {
+      if (match.output.credential_format !== "vc+sd-jwt") {
+        throw new Error("Unsupported format"); // TODO [SIW-2082]: support MDOC credentials
+      }
+      const { vct, claims } = match.output;
       const purposes = queryResult.credential_sets
         ?.filter((set) => set.matching_options?.flat().includes(id))
         ?.map<CredentialPurpose>((credentialSet) => ({
@@ -151,78 +147,53 @@ export const evaluateDcqlQuery: EvaluateDcqlQuery = async (
           required: Boolean(credentialSet.required),
         }));
-      if (match.output.credential_format === "vc+sd-jwt") {
-        const { vct, claims } = match.output;
-        const [, keyTag, credential] = credentialsSdJwt.find(
-          ([type]) => type === vct
-        )!;
-        const requiredDisclosures = Object.values(
-          claims
-        ) as EvaluatedDisclosure[];
-        return {
-          id,
-          vct,
-          keyTag,
-          format: match.output.credential_format,
-          credential,
-          requiredDisclosures,
-          // When it is a match but no credential_sets are found, the credential is required by default
-          // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
-          purposes: purposes ?? [{ required: true }],
-        };
-      }
-      if (match.output.credential_format === "mso_mdoc") {
-        const { doctype, namespaces } = match.output;
-        const [, keyTag, credential] = credentialsMdoc.find(
-          ([type]) => type === doctype
-        )!;
-        const requiredDisclosures = Object.entries(namespaces).reduce(
-          (acc, [ns, nsClaims]) => [
-            ...acc,
-            ...Object.entries(nsClaims).map(([claimName]) => ({
-              namespace: ns,
-              name: claimName,
-              value: nsClaims[claimName],
-            })),
-          ],
-          [] as EvaluatedDisclosure[]
-        );
-        return {
-          id,
-          keyTag,
-          format: match.output.credential_format,
-          credential,
-          requiredDisclosures,
-          // When it is a match but no credential_sets are found, the credential is required by default
-          // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
-          purposes: purposes ?? [{ required: true }],
-          doctype,
-        };
-      }
-      throw new Error(
-        `Unsupported credential format: ${match.output.credential_format}`
-      );
+      const [keyTag, credential] = credentialsSdJwtByVct[vct]!;
+      const requiredDisclosures = Object.values(claims) as Disclosure[];
+      return {
+        id,
+        vct,
+        keyTag,
+        credential,
+        requiredDisclosures,
+        // When it is a match but no credential_sets are found, the credential is required by default
+        // See https://openid.net/specs/openid-4-verifiable-presentations-1_0-24.html#section-6.3.1.2-2.1
+        purposes: purposes ?? [{ required: true }],
+      };
     });
   } catch (error) {
-    // Invalid DCQL query structure
+    // Invalid DCQL query structure. Remap to `DcqlError` for consistency.
     if (isValiError(error)) {
-      throw new ValidationFailed({
-        message: "Invalid DCQL query",
-        reason: error.issues.map((issue) => issue.message).join(", "),
+      throw new DcqlError({
+        message: "Failed to parse the provided DCQL query",
+        code: "PARSE_ERROR",
+        cause: error.issues,
       });
     }
-    if (error instanceof DcqlError) {
-      // TODO [SIW-2110]: handle invalid DQCL query or let the error propagate
-    }
-    if (error instanceof DcqlCredentialSetError) {
-      // TODO [SIW-2110]: handle missing credentials or let the error propagate
-    }
+    // Let other errors propagate so they can be caught with `err instanceof DcqlError`
     throw error;
   }
 };
+export const prepareRemotePresentations: PrepareRemotePresentations = async (
+  credentials,
+  nonce,
+  clientId
+) => {
+  return Promise.all(
+    credentials.map(async (item) => {
+      const { vp_token } = await prepareVpToken(nonce, clientId, [
+        item.credential,
+        item.requestedClaims,
+        createCryptoContextFor(item.keyTag),
+      ]);
+      return {
+        credentialId: item.id,
+        requestedClaims: item.requestedClaims,
+        vpToken: vp_token,
+        format: "vc+sd-jwt",
+      };
+    })
+  );
+};