npm - @pagopa/io-react-native-wallet - Versions diffs - 1.7.1 → 2.0.0-next.0 - Mend

@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (438) hide show

package/lib/module/credential/presentation/03-get-request-object.js CHANGED Viewed

@@ -1,20 +1,47 @@
+import { RelyingPartyResponseError } from "../../utils/errors";
 import { hasStatusOrThrow } from "../../utils/misc";
+import { RequestObjectWalletCapabilities } from "./types";
 /**
- * Obtain the Request Object for RP authentication
+ * Obtain the Request Object for RP authentication. Both the GET and POST `request_uri_method` are supported.
  * @see https://italia.github.io/eudi-wallet-it-docs/versione-corrente/en/relying-party-solution.html
  *
- * @param requestUri The request uri of the Relying Party
+ * @param requestUri The url for the Relying Party to connect with
+ * @param rpConf The Relying Party's configuration * @param context.walletInstanceAttestation The Wallet Instance Attestation token
+ * @param context.walletCapabilities (optional) An object containing the wallet technical capabilities that will be sent with a POST request
  * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
  * @returns The Request Object that describes the presentation
  */
 export const getRequestObject = async function (requestUri) {
-  let context = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
-  const {
-    appFetch = fetch
-  } = context;
+  let {
+    appFetch = fetch,
+    walletCapabilities
+  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
+  if (walletCapabilities) {
+    // Validate external input
+    const {
+      wallet_metadata,
+      wallet_nonce
+    } = RequestObjectWalletCapabilities.parse(walletCapabilities);
+    const formUrlEncodedBody = new URLSearchParams({
+      wallet_metadata: JSON.stringify(wallet_metadata),
+      ...(wallet_nonce && {
+        wallet_nonce
+      })
+    });
+    const requestObjectEncodedJwt = await appFetch(requestUri, {
+      method: "POST",
+      headers: {
+        "Content-Type": "application/x-www-form-urlencoded"
+      },
+      body: formUrlEncodedBody.toString()
+    }).then(hasStatusOrThrow(200, RelyingPartyResponseError)).then(res => res.text());
+    return {
+      requestObjectEncodedJwt
+    };
+  }
   const requestObjectEncodedJwt = await appFetch(requestUri, {
     method: "GET"
-  }).then(hasStatusOrThrow(200)).then(res => res.text());
+  }).then(hasStatusOrThrow(200, RelyingPartyResponseError)).then(res => res.text());
   return {
     requestObjectEncodedJwt
   };

package/lib/module/credential/presentation/03-get-request-object.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["hasStatusOrThrow","getRequestObject","requestUri","~~context~~","arguments","length","undefined","~~appFetch~~","~~fetch~~","requestObjectEncodedJwt","method","then","res","text"],"sourceRoot":"../../../../src","sources":["credential/presentation/03-get-request-object.ts"],"mappings":"AAAA,SAASA,gBAAgB,~~QAAkB~~,kBAAkB;~~AAU7D~~;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,eAAAA,CAChDC,UAAU,EAEP;EAAA,~~IADHC~~,~~OAAO~~,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;~~EAEZ~~,MAAM;~~IAAEG~~,QAAQ,~~GAAGC~~;~~EAAM~~,CAAC,~~GAAGL~~,OAAO;~~EACpC~~,~~MAAMM~~,uBAAuB,GAAG,~~MAAMF~~,QAAQ,~~CAACL~~,UAAU,EAAE;~~IACzDQ~~,MAAM,EAAE;EACV,CAAC,CAAC,~~CACCC~~,IAAI,~~CAACX~~,gBAAgB,CAAC,GAAG,CAAC,CAAC,~~CAC3BW~~,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;EAE5B,OAAO;~~IACLJ~~;EACF,CAAC;AACH,CAAC"}
1	+ {"version":3,"names":["RelyingPartyResponseError","hasStatusOrThrow","RequestObjectWalletCapabilities","getRequestObject","requestUri","appFetch","fetch","walletCapabilities","arguments","length","undefined","wallet_metadata","wallet_nonce","parse","formUrlEncodedBody","URLSearchParams","JSON","stringify","requestObjectEncodedJwt","method","headers","body","toString","then","res","text"],"sourceRoot":"../../../../src","sources":["credential/presentation/03-get-request-object.ts"],"mappings":"AAAA,SAASA,yBAAyB,QAAQ,oBAAoB;AAC9D,SAASC,gBAAgB,QAAQ,kBAAkB;AACnD,SAASC,+BAA+B,QAAQ,SAAS;AAUzD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,gBAAkC,GAAG,eAAAA,CAChDC,UAAU,EAEP;EAAA,IADH;IAAEC,QAAQ,GAAGC,KAAK;IAAEC;EAAmB,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAE7C,IAAID,kBAAkB,EAAE;IACtB;IACA,MAAM;MAAEI,eAAe;MAAEC;IAAa,CAAC,GACrCV,+BAA+B,CAACW,KAAK,CAACN,kBAAkB,CAAC;IAE3D,MAAMO,kBAAkB,GAAG,IAAIC,eAAe,CAAC;MAC7CJ,eAAe,EAAEK,IAAI,CAACC,SAAS,CAACN,eAAe,CAAC;MAChD,IAAIC,YAAY,IAAI;QAAEA;MAAa,CAAC;IACtC,CAAC,CAAC;IAEF,MAAMM,uBAAuB,GAAG,MAAMb,QAAQ,CAACD,UAAU,EAAE;MACzDe,MAAM,EAAE,MAAM;MACdC,OAAO,EAAE;QACP,cAAc,EAAE;MAClB,CAAC;MACDC,IAAI,EAAEP,kBAAkB,CAACQ,QAAQ,CAAC;IACpC,CAAC,CAAC,CACCC,IAAI,CAACtB,gBAAgB,CAAC,GAAG,EAAED,yBAAyB,CAAC,CAAC,CACtDuB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;IAE5B,OAAO;MACLP;IACF,CAAC;EACH;EAEA,MAAMA,uBAAuB,GAAG,MAAMb,QAAQ,CAACD,UAAU,EAAE;IACzDe,MAAM,EAAE;EACV,CAAC,CAAC,CACCI,IAAI,CAACtB,gBAAgB,CAAC,GAAG,EAAED,yBAAyB,CAAC,CAAC,CACtDuB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC;EAE5B,OAAO;IACLP;EACF,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/04-retrieve-rp-jwks.js CHANGED Viewed

@@ -1,10 +1,3 @@
-import { JWKS, JWK } from "../../utils/jwk";
-import { hasStatusOrThrow } from "../../utils/misc";
-import { decode as decodeJwt } from "@pagopa/io-react-native-jwt";
-import { NoSuitableKeysFoundInEntityConfiguration } from "./errors";
-import { RequestObject } from "./types";
-import { convertCertToPem, parsePublicKey, getSigningJwk } from "../../utils/crypto";
 /**
  * Defines the signature for a function that retrieves JSON Web Key Sets (JWKS) from a client.
  *
@@ -13,121 +6,6 @@ import { convertCertToPem, parsePublicKey, getSigningJwk } from "../../utils/cry
  * @returns A promise resolving to an object containing an array of JWKs.
  */
-/**
- * Fetches and parses JWKS from a given URI.
- *
- * @param jwksUri - The JWKS URI.
- * @param fetchFn - The fetch function to use.
- * @returns An array of JWKs.
- */
-const fetchJwksFromUri = async (jwksUri, appFetch) => {
-  const jwks = await appFetch(jwksUri, {
-    method: "GET"
-  }).then(hasStatusOrThrow(200)).then(raw => raw.json()).then(json => json.jwks ? JWKS.parse(json.jwks) : JWKS.parse(json));
-  return jwks.keys;
-};
-/**
- * Retrieves JWKS when the client ID scheme includes x509 SAN DNS.
- *
- * @param decodedJwt - The decoded JWT.
- * @param fetchFn - The fetch function to use.
- * @returns An array of JWKs.
- * @throws Will throw an error if no suitable keys are found.
- */
-const getJwksFromX509Cert = async certChain => {
-  if (!Array.isArray(certChain) || certChain.length === 0 || !certChain[0]) {
-    throw new NoSuitableKeysFoundInEntityConfiguration("No RP encrypt key found!");
-  }
-  const pemCert = convertCertToPem(certChain[0]);
-  const publicKey = parsePublicKey(pemCert);
-  if (!publicKey) {
-    throw new NoSuitableKeysFoundInEntityConfiguration("Unsupported public key type.");
-  }
-  const signingJwk = getSigningJwk(publicKey);
-  return [signingJwk];
-};
-/**
- * Constructs the well-known JWKS URL based on the issuer claim.
- *
- * @param issuer - The issuer URL.
- * @returns The well-known JWKS URL.
- */
-const constructWellKnownJwksUrl = issuer => {
-  const issuerUrl = new URL(issuer);
-  return new URL(`/.well-known/jar-issuer${issuerUrl.pathname}`, `${issuerUrl.protocol}//${issuerUrl.host}`).toString();
-};
-/**
- * Fetches the JSON Web Key Set (JWKS) based on the provided Request Object encoded as a JWT.
- * The retrieval process follows these steps in order:
- *
- * 1. **Direct JWK Retrieval**: If the JWT's protected header contains a `jwk` attribute, it uses this key directly.
- * 2. **X.509 Certificate Retrieval**: If the protected header includes an `x5c` attribute, it extracts the JWKs from the provided X.509 certificate chain.
- * 3. **Issuer's Well-Known Endpoint**: If neither `jwk` nor `x5c` are present, it constructs the JWKS URL using the issuer (`iss`) claim and fetches the keys from the issuer's well-known JWKS endpoint.
- *
- * The JWKS URL is constructed in the format `{issUrl.base}/.well-known/jar-issuer${issUrl.path}`,
- * as detailed in the SD-JWT VC issuer metadata specification.
- *
- * @param requestObjectEncodedJwt - The Request Object encoded as a JWT.
- * @param options - Optional parameters for fetching the JWKS.
- * @param options.context - Optional context providing a custom fetch implementation.
- * @param options.context.appFetch - A custom fetch function to replace the global `fetch` if provided.
- * @returns A promise that resolves to an object containing an array of JSON Web Keys (JWKs).
- * @throws {NoSuitableKeysFoundInEntityConfiguration} Throws an error if JWKS retrieval or key extraction fails.
- */
-export const fetchJwksFromRequestObject = async function (requestObjectEncodedJwt) {
-  var _requestObjectJwt$pro, _requestObjectJwt$pay;
-  let {
-    context = {}
-  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
-  const {
-    appFetch = fetch
-  } = context;
-  const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
-  const jwks = [];
-  // 1. check if request object jwt contains the 'jwk' attribute
-  if ((_requestObjectJwt$pro = requestObjectJwt.protectedHeader) !== null && _requestObjectJwt$pro !== void 0 && _requestObjectJwt$pro.jwk) {
-    const keys = [JWK.parse(requestObjectJwt.protectedHeader.jwk)];
-    jwks.push(...keys);
-  }
-  // 2. check if request object jwt contains the 'x5c' attribute
-  if (requestObjectJwt.protectedHeader.x5c) {
-    const keys = await getJwksFromX509Cert(requestObjectJwt.protectedHeader.x5c);
-    jwks.push(...keys);
-  }
-  // 3. check if client_metadata contains the 'jwks' or 'jwks_uri' attribute
-  const requestObject = RequestObject.parse(requestObjectJwt.payload);
-  const {
-    client_metadata
-  } = requestObject;
-  if (client_metadata !== null && client_metadata !== void 0 && client_metadata.jwks_uri) {
-    const fetchedJwks = await fetchJwksFromUri(new URL(client_metadata.jwks_uri).toString(), appFetch);
-    jwks.push(...fetchedJwks);
-  }
-  if (client_metadata !== null && client_metadata !== void 0 && client_metadata.jwks) {
-    jwks.push(...client_metadata.jwks.keys);
-  }
-  // 3. According to Potential profile, retrieve from RP endpoint using iss claim
-  const issuer = (_requestObjectJwt$pay = requestObjectJwt.payload) === null || _requestObjectJwt$pay === void 0 ? void 0 : _requestObjectJwt$pay.iss;
-  if (jwks.length === 0 && typeof issuer === "string") {
-    const wellKnownJwksUrl = constructWellKnownJwksUrl(issuer);
-    const jwksKeys = await fetchJwksFromUri(wellKnownJwksUrl, appFetch);
-    jwks.push(...jwksKeys);
-  }
-  if (jwks.length === 0) {
-    throw new NoSuitableKeysFoundInEntityConfiguration("Request Object signature verification");
-  }
-  return {
-    keys: jwks
-  };
-};
 /**
  * Retrieves the JSON Web Key Set (JWKS) from a Relying Party's entity configuration.
  *
@@ -135,8 +13,8 @@ export const fetchJwksFromRequestObject = async function (requestObjectEncodedJw
  * @returns An object containing an array of JWKs.
  * @throws Will throw an error if the configuration is invalid or if JWKS is not found.
  */
-export const fetchJwksFromConfig = async rpConfig => {
-  const jwks = rpConfig.wallet_relying_party.jwks;
+export const getJwksFromConfig = rpConfig => {
+  const jwks = rpConfig.openid_credential_verifier.jwks;
   if (!jwks || !Array.isArray(jwks.keys)) {
     throw new Error("JWKS not found in Relying Party configuration.");
   }

package/lib/module/credential/presentation/04-retrieve-rp-jwks.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["~~JWKS~~","~~JWK~~","~~hasStatusOrThrow","decode","decodeJwt","NoSuitableKeysFoundInEntityConfiguration","RequestObject","convertCertToPem","parsePublicKey","getSigningJwk","fetchJwksFromUri","jwksUri","appFetch","~~jwks","~~method~~","~~then","raw","json","parse","keys","getJwksFromX509Cert","certChain","~~Array","isArray","~~length~~","pemCert","publicKey","signingJwk","constructWellKnownJwksUrl","issuer","issuerUrl","URL","pathname","protocol","host","toString","fetchJwksFromRequestObject","requestObjectEncodedJwt","_requestObjectJwt$pro","_requestObjectJwt$pay","context","arguments","undefined","fetch","requestObjectJwt","protectedHeader","jwk","push","x5c","requestObject","payload","client_metadata","jwks_uri","fetchedJwks","iss","wellKnownJwksUrl","jwksKeys","fetchJwksFromConfig","rpConfig","wallet_relying_party","Error"],"sourceRoot":"../../../../src","sources":["credential/presentation/04-retrieve-rp-jwks.ts"],"mappings":"~~AAAA,SAASA,IAAI,EAAEC,GAAG,QAAQ,iBAAiB~~;~~AAC3C,SAASC,gBAAgB,QAAQ,kBAAkB;AAEnD,SAASC,MAAM,IAAIC,SAAS,QAAQ,6BAA6B;AACjE,SAASC,wCAAwC,QAAQ,UAAU;AACnE,SAASC,aAAa,QAAQ,SAAS;AACvC,SACEC,gBAAgB,EAChBC,cAAc,EACdC,aAAa,QACR,oBAAoB;;AAE3B;~~AACA;AACA;AACA;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,~~MAAMC,gBAAgB,GAAG,MAAAA,CACvBC,OAAe,EACfC,QAA8B,KACX;EACnB,MAAMC,IAAI,GAAG,MAAMD,QAAQ,CAACD,~~OAAO,~~EAAE;IACnCG~~,~~MAAM~~,EAAE;EACV,CAAC,CAAC,CACCC,IAAI,CAACb,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3Ba,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEE,IAAI,IAAMA,IAAI,CAACJ,IAAI,GAAGb,IAAI,CAACkB,KAAK,CAACD,IAAI,CAACJ,IAAI,CAAC,GAAGb,IAAI,CAACkB,KAAK,CAACD,IAAI,CAAE,CAAC;EACzE,OAAOJ,IAAI,CAACM,IAAI;AAClB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,mBAAmB,GAAG,MAAOC,SAAmB,IAAqB;EACzE,IAAI,CAACC,KAAK,CAACC,OAAO,CAACF,SAAS,CAAC,IAAIA,SAAS,CAACG,MAAM,KAAK,CAAC,IAAI,CAACH,SAAS,CAAC,CAAC,CAAC,EAAE;IACxE,MAAM,IAAIhB,wCAAwC,CAChD,0BACF,CAAC;EACH;EAEA,MAAMoB,OAAO,GAAGlB,gBAAgB,CAACc,SAAS,CAAC,CAAC,CAAC,CAAC;EAC9C,MAAMK,SAAS,GAAGlB,cAAc,CAACiB,OAAO,CAAC;EACzC,IAAI,CAACC,SAAS,EAAE;IACd,MAAM,IAAIrB,wCAAwC,CAChD,8BACF,CAAC;EACH;EACA,MAAMsB,UAAU,GAAGlB,aAAa,CAACiB,SAAS,CAAC;EAE3C,OAAO,CAACC,UAAU,CAAC;AACrB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,yBAAyB,GAAIC,~~MAAc~~,~~IAAa;EAC5D,MAAMC,SAAS,GAAG,IAAIC,GAAG,CAACF,MAAM,CAAC;EACjC,OAAO,IAAIE,GAAG,CACX,0BAAyBD,SAAS,CAACE,QAAS,EAAC,EAC7C,GAAEF,SAAS,CAACG,QAAS,KAAIH,SAAS,CAACI,~~IAAK~~,EAC3C,CAAC,CAACC,QAAQ,CAAC,CAAC~~;~~AACd~~,~~CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,~~MAAMC,0BAEZ,GAAG,eAAAA,CAAOC,uBAAuB,EAA4B;EAAA,IAAAC,qBAAA,EAAAC,qBAAA;EAAA,IAA1B;IAAEC,OAAO,GAAG,CAAC;EAAE,CAAC,GAAAC,SAAA,CAAAjB,MAAA,QAAAiB,SAAA,QAAAC,SAAA,GAAAD,SAAA,MAAG,CAAC,CAAC;EACvD,MAAM;IAAE7B,QAAQ,GAAG+B;EAAM,CAAC,GAAGH,OAAO;EACpC,MAAMI,gBAAgB,GAAGxC,SAAS,CAACiC,uBAAuB,CAAC;EAC3D,MAAMxB,IAAW,GAAG,EAAE;;EAEtB;EACA,KAAAyB,qBAAA,GAAIM,gBAAgB,CAACC,eAAe,cAAAP,qBAAA,eAAhCA,qBAAA,CAAkCQ,GAAG,EAAE;IACzC,MAAM3B,IAAI,~~GAAG~~,CAAClB,GAAG,CAACiB,KAAK,CAAC0B,gBAAgB,CAACC,eAAe,CAACC,GAAG,CAAC,CAAC;IAC9DjC,IAAI,CAACkC,IAAI,CAAC,GAAG5B,IAAI,CAAC;EACpB;;EAEA;EACA,IAAIyB,gBAAgB,CAACC,eAAe,CAACG,GAAG,EAAE;IACxC,MAAM7B,IAAI,GAAG,MAAMC,mBAAmB,CACpCwB,gBAAgB,CAACC,eAAe,CAACG,GACnC,CAAC;IACDnC,IAAI,CAACkC,IAAI,CAAC,GAAG5B,IAAI,CAAC;EACpB;;EAEA;EACA,MAAM8B,aAAa,GAAG3C,aAAa,CAACY,KAAK,CAAC0B,gBAAgB,CAACM,OAAO,CAAC;EACnE,MAAM;IAAEC;EAAgB,CAAC,GAAGF,aAAa;EAEzC,IAAIE,eAAe,aAAfA,eAAe,eAAfA,eAAe,CAAEC,QAAQ,~~EAAE;IAC7B~~,~~MAAMC~~,~~WAAW~~,~~GAAG,MAAM3C,gBAAgB,CACxC,IAAIqB,GAAG,CAACoB,eAAe,CAACC,QAAQ,CAAC,CAACjB,QAAQ,CAAC,CAAC,EAC5CvB,QACF,CAAC;IACDC,~~IAAI~~,CAACkC,IAAI,CAAC,GAAGM,WAAW,CAAC~~;~~EAC3B;EAEA~~,~~IAAIF,eAAe,aAAfA,eAAe,eAAfA,eAAe,CAAEtC,~~IAAI,EAAE;IACzBA,IAAI,CAACkC,IAAI,CAAC,GAAGI,eAAe,CAACtC,IAAI,CAACM,IAAI,CAAC;EACzC;;EAEA;EACA,MAAMU,MAAM,IAAAU,qBAAA,GAAGK,gBAAgB,CAACM,OAAO,cAAAX,qBAAA,uBAAxBA,qBAAA,CAA0Be,GAAG;EAC5C,IAAIzC,IAAI,CAACW,MAAM,KAAK,CAAC,IAAI,OAAOK,MAAM,KAAK,QAAQ,EAAE;IACnD,MAAM0B,gBAAgB,GAAG3B,yBAAyB,CAACC,MAAM,CAAC;IAC1D,MAAM2B,QAAQ,GAAG,MAAM9C,gBAAgB,CAAC6C,gBAAgB,EAAE3C,QAAQ,CAAC;IACnEC,IAAI,CAACkC,IAAI,CAAC,GAAGS,QAAQ,CAAC;EACxB;EAEA,IAAI3C,IAAI,CAACW,MAAM,KAAK,CAAC,EAAE;IACrB,MAAM,IAAInB,wCAAwC,CAChD,uCACF,CAAC;EACH;EAEA,OAAO;IAAEc,IAAI,EAAEN;EAAK,CAAC;AACvB,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAM4C,mBAEZ,GAAG,MAAOC,QAAQ,IAAK;EACtB,MAAM7C,IAAI,GAAG6C,QAAQ,CAACC,oBAAoB,CAAC9C,IAAI;EAE/C,IAAI,CAACA,IAAI,IAAI,~~CAACS~~,KAAK,CAACC,OAAO,~~CAACV~~,IAAI,~~CAACM~~,IAAI,CAAC,EAAE;IACtC,MAAM,~~IAAIyC~~,KAAK,CAAC,gDAAgD,CAAC;EACnE;EAEA,OAAO;~~IACLzC~~,IAAI,~~EAAEN~~,IAAI,~~CAACM~~;EACb,CAAC;AACH,CAAC"}
1	+ {"version":3,"names":["getJwksFromConfig","rpConfig","jwks","openid_credential_verifier","Array","isArray","keys","Error"],"sourceRoot":"../../../../src","sources":["credential/presentation/04-retrieve-rp-jwks.ts"],"mappings":"AAGA;AACA;AACA;AACA;AACA;AACA;AACA;;AAKA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMA,iBAEZ,GAAIC,QAAQ,IAAK;EAChB,MAAMC,IAAI,GAAGD,QAAQ,CAACE,0BAA0B,CAACD,IAAI;EAErD,IAAI,CAACA,IAAI,IAAI,CAACE,KAAK,CAACC,OAAO,CAACH,IAAI,CAACI,IAAI,CAAC,EAAE;IACtC,MAAM,IAAIC,KAAK,CAAC,gDAAgD,CAAC;EACnE;EAEA,OAAO;IACLD,IAAI,EAAEJ,IAAI,CAACI;EACb,CAAC;AACH,CAAC"}

package/lib/module/credential/presentation/05-verify-request-object.js CHANGED Viewed

@@ -1,33 +1,88 @@
-import { UnverifiedEntityError } from "./errors";
 import { decode as decodeJwt, verify } from "@pagopa/io-react-native-jwt";
+import { InvalidRequestObjectError } from "./errors";
 import { RequestObject } from "./types";
-export const verifyRequestObjectSignature = async (requestObjectEncodedJwt, jwkKeys) => {
+import { getJwksFromConfig } from "./04-retrieve-rp-jwks";
+/**
+ * Function to verify the Request Object's validity, from the signature to the required properties.
+ * @param requestObjectEncodedJwt The Request Object in JWT format
+ * @param context.clientId The client ID to verify
+ * @param context.rpConf The Entity Configuration of the Relying Party
+ * @param context.state Optional state
+ * @returns The verified Request Object
+ * @throws {InvalidRequestObjectError} if the Request Object cannot be validated
+ */
+export const verifyRequestObject = async (requestObjectEncodedJwt, _ref) => {
+  let {
+    clientId,
+    rpConf,
+    rpSubject,
+    state
+  } = _ref;
   const requestObjectJwt = decodeJwt(requestObjectEncodedJwt);
-  // verify token signature to ensure the request object is authentic
-  const pubKey = (jwkKeys === null || jwkKeys === void 0 ? void 0 : jwkKeys.find(_ref => {
-    let {
-      kid
-    } = _ref;
-    return kid === requestObjectJwt.protectedHeader.kid;
-  })) || (jwkKeys === null || jwkKeys === void 0 ? void 0 : jwkKeys.find(_ref2 => {
-    let {
-      use
-    } = _ref2;
-    return use === "sig";
-  }));
-  if (!pubKey) {
-    throw new UnverifiedEntityError("Request Object signature verification!");
+  const pubKey = getSigPublicKey(rpConf, requestObjectJwt.protectedHeader.kid);
+  try {
+    // Standard claims are verified within `verify`
+    await verify(requestObjectEncodedJwt, pubKey, {
+      issuer: clientId
+    });
+  } catch (_) {
+    throw new InvalidRequestObjectError("The Request Object signature verification failed");
+  }
+  const requestObject = validateRequestObjectShape(requestObjectJwt.payload);
+  const isClientIdMatch = clientId === requestObject.client_id && clientId === rpSubject;
+  if (!isClientIdMatch) {
+    throw new InvalidRequestObjectError("Client ID does not match Request Object or Entity Configuration");
   }
-  await verify(requestObjectEncodedJwt, pubKey);
-  const requestObject = RequestObject.parse(requestObjectJwt.payload);
-  // Check if exp exists and is expired
-  // exp is typically in seconds since epoch, Get current time in seconds
-  if (requestObject.exp && requestObject.exp <= Date.now() / 1000) {
-    throw new UnverifiedEntityError("Request Object is expired!");
+  const isStateMatch = state && requestObject.state ? state === requestObject.state : true;
+  if (!isStateMatch) {
+    throw new InvalidRequestObjectError("The provided state does not match the Request Object's");
   }
   return {
     requestObject
   };
 };
+/**
+ * Validate the shape of the Request Object to ensure all required properties are present and are of the expected type.
+ *
+ * @param payload The Request Object to validate
+ * @returns A valid Request Object
+ * @throws {InvalidRequestObjectError} when the Request Object cannot be parsed
+ */
+const validateRequestObjectShape = payload => {
+  const requestObjectParse = RequestObject.safeParse(payload);
+  if (requestObjectParse.success) {
+    return requestObjectParse.data;
+  }
+  throw new InvalidRequestObjectError("The Request Object cannot be parsed successfully", formatFlattenedZodErrors(requestObjectParse.error.flatten()));
+};
+/**
+ * Get the public key to verify the Request Object's signature from the Relying Party's EC.
+ *
+ * @param rpConf The Relying Party's EC
+ * @param kid The identifier of the key to find
+ * @returns The corresponding public key to verify the signature
+ * @throws {InvalidRequestObjectError} when the key cannot be found
+ */
+const getSigPublicKey = (rpConf, kid) => {
+  try {
+    const {
+      keys
+    } = getJwksFromConfig(rpConf);
+    const pubKey = keys.find(k => k.kid === kid);
+    if (!pubKey) throw new Error();
+    return pubKey;
+  } catch (_) {
+    throw new InvalidRequestObjectError(`The public key for signature verification (${kid}) cannot be found in the Entity Configuration`);
+  }
+};
+/**
+ * Utility to format flattened Zod errors into a simplified string `key1: key1_error, key2: key2_error`
+ */
+const formatFlattenedZodErrors = errors => Object.entries(errors.fieldErrors).map(_ref2 => {
+  let [key, error] = _ref2;
+  return `${key}: ${error[0]}`;
+}).join(", ");
 //# sourceMappingURL=05-verify-request-object.js.map

package/lib/module/credential/presentation/05-verify-request-object.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["~~UnverifiedEntityError","~~decode","decodeJwt","verify","RequestObject","~~verifyRequestObjectSignature~~","requestObjectEncodedJwt","~~jwkKeys~~","~~requestObjectJwt~~","~~pubKey~~","~~find~~","~~_ref~~","~~kid~~","protectedHeader","~~_ref2~~","~~use~~","requestObject","~~parse~~","payload","~~exp~~","~~Date~~","~~now~~"],"sourceRoot":"../../../../src","sources":["credential/presentation/05-verify-request-object.ts"],"mappings":"AAAA,SAASA,~~qBAAqB,QAAQ,UAAU;AAEhD,SAASC,~~MAAM,IAAIC,SAAS,EAAEC,MAAM,QAAQ,6BAA6B;~~AACzE~~,SAASC,aAAa,QAAQ,SAAS;~~AASvC~~,OAAO,MAAMC,~~4BAA0D~~,~~GACrE~~,MAAAA,~~CAAOC~~,uBAAuB,~~EAAEC~~,~~OAAO~~,~~KAAK~~;~~EAC1C~~,~~MAAMC~~,gBAAgB,~~GAAGN~~,SAAS,~~CAACI~~,uBAAuB,CAAC;;EAE3D~~;EACA~~,~~MAAMG~~,MAAM,~~GACV~~,~~CAAAF~~,~~OAAO~~,~~aAAPA~~,~~OAAO~~,~~uBAAPA~~,~~OAAO~~,~~CAAEG~~,~~IAAI~~,~~CACXC~~,~~IAAA~~;~~IAAA~~,~~IAAC~~;~~MAAEC~~;~~IAAI~~,~~CAAC~~,~~GAAAD~~,~~IAAA~~;~~IAAA~~,~~OAAKC~~,~~GAAG~~,~~KAAKJ~~,~~gBAAgB~~,~~CAACK~~,~~eAAe~~,~~CAACD~~,~~GAAG~~;~~EAAA~~,~~CAC3D~~,CAAC,~~MAAIL~~,~~OAAO~~,~~aAAPA~~,~~OAAO~~,~~uBAAPA~~,OAAO,~~CAAEG~~,~~IAAI~~,CAACI,~~KAAA~~;~~IAAA~~,~~IAAC;MAAEC;~~IAAI,~~CAAC~~,~~GAAAD~~,~~KAAA~~;~~IAAA~~,~~OAAKC~~,~~GAAG~~,KAAK,KAAK~~;EAAA~~,~~EAAC~~;~~EAEhD~~,IAAI,~~CAACN~~,~~MAAM~~,EAAE;~~IACX~~,MAAM,~~IAAIT~~,~~qBAAqB~~,CAAC,~~wCAAwC~~,CAAC;~~EAC3E~~;~~EACA~~,~~MAAMG~~,~~MAAM~~,~~CAACG~~,~~uBAAuB~~,~~EAAEG~~,~~MAAM~~,CAAC;~~EAE7C~~,~~MAAMO~~,~~aAAa~~,~~GAAGZ~~,~~aAAa~~,~~CAACa~~,~~KAAK~~,~~CAACT~~,~~gBAAgB~~,~~CAACU~~,OAAO,CAAC;~~EACnE~~;~~EACA~~;~~EACA~~,~~IAAIF~~,~~aAAa~~,~~CAACG~~,~~GAAG~~,~~IAAIH~~,~~aAAa~~,~~CAACG~~,~~GAAG~~,~~IAAIC~~,IAAI,CAACC,~~GAAG~~,CAAC,CAAC,GAAG,IAAI,EAAE;~~IAC/D~~,MAAM,~~IAAIrB~~,~~qBAAqB~~,CAAC,~~4BAA4B~~,CAAC;~~EAC/D~~;~~EAEA~~,OAAO;~~IAAEgB~~;~~EAAc~~,CAAC;~~AAC1B~~,CAAC"}
1	+ {"version":3,"names":["decode","decodeJwt","verify","InvalidRequestObjectError","RequestObject","getJwksFromConfig","verifyRequestObject","requestObjectEncodedJwt","_ref","clientId","rpConf","rpSubject","state","requestObjectJwt","pubKey","getSigPublicKey","protectedHeader","kid","issuer","_","requestObject","validateRequestObjectShape","payload","isClientIdMatch","client_id","isStateMatch","requestObjectParse","safeParse","success","data","formatFlattenedZodErrors","error","flatten","keys","find","k","Error","errors","Object","entries","fieldErrors","map","_ref2","key","join"],"sourceRoot":"../../../../src","sources":["credential/presentation/05-verify-request-object.ts"],"mappings":"AAAA,SAASA,MAAM,IAAIC,SAAS,EAAEC,MAAM,QAAQ,6BAA6B;AAEzE,SAASC,yBAAyB,QAAQ,UAAU;AACpD,SAASC,aAAa,QAAQ,SAAS;AACvC,SAASC,iBAAiB,QAAQ,uBAAuB;AAYzD;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMC,mBAAwC,GAAG,MAAAA,CACtDC,uBAAuB,EAAAC,IAAA,KAEpB;EAAA,IADH;IAAEC,QAAQ;IAAEC,MAAM;IAAEC,SAAS;IAAEC;EAAM,CAAC,GAAAJ,IAAA;EAEtC,MAAMK,gBAAgB,GAAGZ,SAAS,CAACM,uBAAuB,CAAC;EAE3D,MAAMO,MAAM,GAAGC,eAAe,CAACL,MAAM,EAAEG,gBAAgB,CAACG,eAAe,CAACC,GAAG,CAAC;EAE5E,IAAI;IACF;IACA,MAAMf,MAAM,CAACK,uBAAuB,EAAEO,MAAM,EAAE;MAAEI,MAAM,EAAET;IAAS,CAAC,CAAC;EACrE,CAAC,CAAC,OAAOU,CAAC,EAAE;IACV,MAAM,IAAIhB,yBAAyB,CACjC,kDACF,CAAC;EACH;EAEA,MAAMiB,aAAa,GAAGC,0BAA0B,CAACR,gBAAgB,CAACS,OAAO,CAAC;EAE1E,MAAMC,eAAe,GACnBd,QAAQ,KAAKW,aAAa,CAACI,SAAS,IAAIf,QAAQ,KAAKE,SAAS;EAEhE,IAAI,CAACY,eAAe,EAAE;IACpB,MAAM,IAAIpB,yBAAyB,CACjC,iEACF,CAAC;EACH;EAEA,MAAMsB,YAAY,GAChBb,KAAK,IAAIQ,aAAa,CAACR,KAAK,GAAGA,KAAK,KAAKQ,aAAa,CAACR,KAAK,GAAG,IAAI;EAErE,IAAI,CAACa,YAAY,EAAE;IACjB,MAAM,IAAItB,yBAAyB,CACjC,wDACF,CAAC;EACH;EAEA,OAAO;IAAEiB;EAAc,CAAC;AAC1B,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMC,0BAA0B,GAAIC,OAAgB,IAAoB;EACtE,MAAMI,kBAAkB,GAAGtB,aAAa,CAACuB,SAAS,CAACL,OAAO,CAAC;EAE3D,IAAII,kBAAkB,CAACE,OAAO,EAAE;IAC9B,OAAOF,kBAAkB,CAACG,IAAI;EAChC;EAEA,MAAM,IAAI1B,yBAAyB,CACjC,kDAAkD,EAClD2B,wBAAwB,CAACJ,kBAAkB,CAACK,KAAK,CAACC,OAAO,CAAC,CAAC,CAC7D,CAAC;AACH,CAAC;;AAED;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,MAAMjB,eAAe,GAAGA,CACtBL,MAA8D,EAC9DO,GAAuB,KACpB;EACH,IAAI;IACF,MAAM;MAAEgB;IAAK,CAAC,GAAG5B,iBAAiB,CAACK,MAAM,CAAC;IAE1C,MAAMI,MAAM,GAAGmB,IAAI,CAACC,IAAI,CAAEC,CAAC,IAAKA,CAAC,CAAClB,GAAG,KAAKA,GAAG,CAAC;IAE9C,IAAI,CAACH,MAAM,EAAE,MAAM,IAAIsB,KAAK,CAAC,CAAC;IAE9B,OAAOtB,MAAM;EACf,CAAC,CAAC,OAAOK,CAAC,EAAE;IACV,MAAM,IAAIhB,yBAAyB,CAChC,8CAA6Cc,GAAI,+CACpD,CAAC;EACH;AACF,CAAC;;AAED;AACA;AACA;AACA,MAAMa,wBAAwB,GAC5BO,MAA+C,IAE/CC,MAAM,CAACC,OAAO,CAACF,MAAM,CAACG,WAAW,CAAC,CAC/BC,GAAG,CAACC,KAAA;EAAA,IAAC,CAACC,GAAG,EAAEZ,KAAK,CAAC,GAAAW,KAAA;EAAA,OAAM,GAAEC,GAAI,KAAIZ,KAAK,CAAC,CAAC,CAAE,EAAC;AAAA,EAAC,CAC5Ca,IAAI,CAAC,IAAI,CAAC"}

package/lib/module/credential/presentation/06-fetch-presentation-definition.js CHANGED Viewed

@@ -1,28 +1,19 @@
-import { PresentationDefinition } from "./types";
-import { hasStatusOrThrow } from "../../utils/misc";
 /**
  * Retrieves a PresentationDefinition based on the given parameters.
  *
  * The method attempts the following strategies in order:
  * 1. Checks if `presentation_definition` is directly available in the request object.
- * 2. Fetches the `presentation_definition` from the URI provided in the relying party configuration.
- * 3. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
+ * 2. Uses a pre-configured `presentation_definition` from the relying party configuration if the `scope` is present in the request object.
  *
- * If none of the above conditions are met, the function throws an error indicating the definition could not be found.
+ * If none of the above conditions are met, the function throws an error indicating the definition could not be found. Note that `presentation_definition_uri` is not supported in 0.9.x.
  *
  * @param {RequestObject} requestObject - The request object containing the presentation definition or references to it.
  * @param {RelyingPartyEntityConfiguration["payload"]["metadata"]} [rpConf] - Optional relying party configuration.
- * @param {Object} [context] - Optional context for providing a custom fetch implementation.
- * @param {GlobalFetch["fetch"]} [context.appFetch] - Custom fetch function, defaults to global `fetch`.
  * @returns {Promise<{ presentationDefinition: PresentationDefinition }>} - Resolves with the presentation definition.
  * @throws {Error} - Throws if the presentation definition cannot be found or fetched.
  */
-export const fetchPresentDefinition = async function (requestObject) {
-  var _rpConf$wallet_relyin, _rpConf$wallet_relyin2;
-  let {
-    appFetch = fetch
-  } = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : {};
-  let rpConf = arguments.length > 2 ? arguments[2] : undefined;
+export const fetchPresentDefinition = async (requestObject, rpConf) => {
+  var _rpConf$openid_creden;
   // Check if `presentation_definition` is directly available in the request object
   if (requestObject.presentation_definition) {
     return {
@@ -30,25 +21,10 @@ export const fetchPresentDefinition = async function (requestObject) {
     };
   }
-  // Check if `presentation_definition_uri` is provided in the relying party configuration
-  if (rpConf !== null && rpConf !== void 0 && (_rpConf$wallet_relyin = rpConf.wallet_relying_party) !== null && _rpConf$wallet_relyin !== void 0 && _rpConf$wallet_relyin.presentation_definition_uri) {
-    try {
-      // Fetch the presentation definition from the provided URI
-      const presentationDefinition = await appFetch(rpConf === null || rpConf === void 0 ? void 0 : rpConf.wallet_relying_party.presentation_definition_uri, {
-        method: "GET"
-      }).then(hasStatusOrThrow(200)).then(raw => raw.json()).then(json => PresentationDefinition.parse(json));
-      return {
-        presentationDefinition
-      };
-    } catch (error) {
-      throw new Error(`Failed to fetch presentation definition: ${error}`);
-    }
-  }
   // Check if `scope` is present in the request object and a pre-configured presentation definition exists
-  if (requestObject.scope && rpConf !== null && rpConf !== void 0 && (_rpConf$wallet_relyin2 = rpConf.wallet_relying_party) !== null && _rpConf$wallet_relyin2 !== void 0 && _rpConf$wallet_relyin2.presentation_definition) {
+  if (requestObject.scope && rpConf !== null && rpConf !== void 0 && (_rpConf$openid_creden = rpConf.openid_credential_verifier) !== null && _rpConf$openid_creden !== void 0 && _rpConf$openid_creden.presentation_definition) {
     return {
-      presentationDefinition: rpConf.wallet_relying_party.presentation_definition
+      presentationDefinition: rpConf.openid_credential_verifier.presentation_definition
     };
   }
   throw new Error("Presentation definition not found");

package/lib/module/credential/presentation/06-fetch-presentation-definition.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"names":["~~PresentationDefinition","hasStatusOrThrow","~~fetchPresentDefinition","requestObject","~~_rpConf$wallet_relyin~~","_rpConf$~~wallet_relyin2~~","~~appFetch","fetch","arguments","length","undefined","rpConf","~~presentation_definition","presentationDefinition","~~wallet_relying_party~~","~~presentation_definition_uri~~","~~method","then","raw","json","parse","error","~~Error"~~,"scope"~~],"sourceRoot":"../../../../src","sources":["credential/presentation/06-fetch-presentation-definition.ts"],"mappings":"~~AAAA,SAASA,sBAAsB,QAAuB,SAAS~~;~~AAE/D,SAASC,gBAAgB,QAAQ,kBAAkB;AAYnD;~~AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA~~;AACA;AACA;AACA~~,OAAO,~~MAAMC~~,sBAAmD,GAAG,~~eAAAA~~,CACjEC,aAAa,~~EAGV~~;EAAA,IAAAC,qBAAA~~,EAAAC,sBAAA~~;~~EAAA,IAFH~~;~~IAAEC,QAAQ,GAAGC;EAAM,CAAC,GAAAC,SAAA,CAAAC,MAAA,QAAAD,SAAA,QAAAE,SAAA,GAAAF,SAAA,MAAG,CAAC,CAAC;EAAA,IACzBG,MAAM,GAAAH,SAAA,CAAAC,MAAA,OAAAD,SAAA,MAAAE,SAAA;EAEN;~~EACA,~~IAAIP~~,aAAa,~~CAACS~~,uBAAuB,EAAE;IACzC,OAAO;MACLC,sBAAsB,~~EAAEV~~,aAAa,~~CAACS~~;IACxC,CAAC;EACH;;EAEA;EACA,~~IAAID~~,MAAM,aAANA,MAAM,gBAAAP,qBAAA,GAANO,MAAM,CAAEG,oBAAoB,cAAAV,qBAAA,eAA5BA,qBAAA,CAA8BW,2BAA2B,EAAE;IAC7D,IAAI;MACF;MACA,MAAMF,sBAAsB,GAAG,MAAMP,QAAQ,CAC3CK,MAAM,aAANA,MAAM,uBAANA,MAAM,CAAEG,oBAAoB,CAACC,2BAA2B,EACxD;QACEC,MAAM,EAAE;MACV,CACF,CAAC,CACEC,IAAI,CAAChB,gBAAgB,CAAC,GAAG,CAAC,CAAC,CAC3BgB,IAAI,CAAEC,GAAG,IAAKA,GAAG,CAACC,IAAI,CAAC,CAAC,CAAC,CACzBF,IAAI,CAAEE,IAAI,IAAKnB,sBAAsB,CAACoB,KAAK,CAACD,IAAI,CAAC,CAAC;MAErD,OAAO;QACLN;MACF,CAAC;IACH,CAAC,CAAC,OAAOQ,KAAK,EAAE;MACd,MAAM,IAAIC,KAAK,CAAE,4CAA2CD,KAAM,EAAC,CAAC;IACtE;EACF;;EAEA;EACA,IACElB,aAAa,~~CAACoB~~,KAAK,~~IACnBZ~~,MAAM,aAANA,MAAM,~~gBAAAN~~,~~sBAAA~~,~~GAANM~~,MAAM,~~CAAEG~~,~~oBAAoB~~,~~cAAAT~~,~~sBAAA~~,~~eAA5BA~~,~~sBAAA~~,~~CAA8BO~~,uBAAuB,~~EACrD~~;IACA,OAAO;MACLC,sBAAsB,~~EACpBF~~,MAAM,~~CAACG~~,~~oBAAoB~~,~~CAACF~~;~~IAChC~~,CAAC;EACH;EAEA,MAAM,~~IAAIU~~,KAAK,CAAC,mCAAmC,CAAC;AACtD,CAAC"}
1	+ {"version":3,"names":["fetchPresentDefinition","requestObject","rpConf","_rpConf$openid_creden","presentation_definition","presentationDefinition","scope","openid_credential_verifier","Error"],"sourceRoot":"../../../../src","sources":["credential/presentation/06-fetch-presentation-definition.ts"],"mappings":"AAUA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA;AACA,OAAO,MAAMA,sBAAmD,GAAG,MAAAA,CACjEC,aAAa,EACbC,MAAM,KACH;EAAA,IAAAC,qBAAA;EACH;EACA,IAAIF,aAAa,CAACG,uBAAuB,EAAE;IACzC,OAAO;MACLC,sBAAsB,EAAEJ,aAAa,CAACG;IACxC,CAAC;EACH;;EAEA;EACA,IACEH,aAAa,CAACK,KAAK,IACnBJ,MAAM,aAANA,MAAM,gBAAAC,qBAAA,GAAND,MAAM,CAAEK,0BAA0B,cAAAJ,qBAAA,eAAlCA,qBAAA,CAAoCC,uBAAuB,EAC3D;IACA,OAAO;MACLC,sBAAsB,EACpBH,MAAM,CAACK,0BAA0B,CAACH;IACtC,CAAC;EACH;EAEA,MAAM,IAAII,KAAK,CAAC,mCAAmC,CAAC;AACtD,CAAC"}