@pagopa/io-react-native-wallet 1.7.1 → 2.0.0-next.0

package/src/credential/presentation/README.md

@@ -1,112 +1,107 @@
 # Credential Presentation
 
+This flow is used for remote presentation, allowing a user with a valid Wallet Instance to remotely present credentials to a Relying Party (Verifier). The presentation flow adheres to the [IT Wallet 0.9.x specification](https://italia.github.io/eid-wallet-it-docs/v0.9.3/en/relying-party-solution.html).
+
+The Relying Party provides the Wallet with a Request Object that contains the requested credentials and claims. The Wallet validates the Request Object and asks the user for consent. Then the Wallet creates an encrypted Authorization Response that contains the Verifiable Presentation with the requested data (`vp_token`) and sends it to the Relying Party.
+
 ## Sequence Diagram
 
 ```mermaid
 sequenceDiagram
-      autonumber
-      participant I as Individual using EUDI Wallet
-      participant O as Organisational Wallet (Verifier)
-      participant A as Organisational Wallet (Issuer)
-
-      O->>+I: QR-CODE: Authorisation request (`request_uri`)
-      I->>+O: GET: Request object, resolved from the `request_uri`
-      O->>+I: Respond with the Request object
-      I->>+O: GET: /.well-known/jar-issuer/jwk
-      O->>+I: Respond with the public key
-
-      I->>+O: POST: VP token response
-      O->>+A: GET: /.well-known/jwt-vc-issuer/jwk
-      A->>+O: Respond with the public key
-      O->>+I: Redirect: Authorisation response
+  autonumber
+  participant I as User (Wallet Instance)
+  participant O as Relying Party (Verifier)
+
+  O->>+I: QR-CODE: Authorization Request (`request_uri`)
+  I->>+O: GET: Verifier's Entity Configuration
+  O->>+I: Respond with metadata (including public keys)
+  I->>+O: GET: Request Object, resolved from `request_uri`
+  O->>+I: Respond with the Request Object
+  I->>+I: Validate Request Object and give consent
+  I->>+O: POST: Authorization Response with encrypted VP token
+  O->>+I: Respond with optional `redirect_uri`
 ```
 
 ## Mapped results
 
+| Error                       | Description|
+| --------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `InvalidRequestObject`      | The Request Object is not valid, for instance it is malformed or its signature cannot be verified.                                                     |
+| `DcqlError`                 | The DCQL query cannot be evaluated because it contains errors.                                                                                         |
+| `CredentialsNotFoundError`  | The presentation cannot be completed because the Wallet does not contain all requested credentials. The missing credentials can be found in `details`. |
+| `RelyingPartyResponseError` | Error in the Relying Party's response. See the next table for more details.                                                                            |
+
+#### RelyingPartyResponseError
+The following HTTP errors are mapped to a `RelyingPartyResponseError` with specific codes.
+
+| HTTP Status  | Error Code                              | Description                                                                                                  |
+| ------------ | --------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
+| `400`, `403` | `ERR_RP_INVALID_AUTHORIZATION_RESPONSE` | The Relying Party rejected the Authorization Response sent by the Wallet because it was deemed invalid.      |
+| `*`          | `ERR_RP_GENERIC_ERROR`                  | This is a generic error code to map unexpected errors that occurred when interacting with the Relying Party. |
+
+
 ## Examples
 
 <details>
   <summary>Remote Presentation flow</summary>
 
+**Note:** To successfully complete a remote presentation, the Wallet Instance must be in a valid state with a valid Wallet Instance Attestation.
+
 ```ts
-// Scan e retrive qr-code, decode it and get its parameters
-const {requestUri, clientId} = ...
-
-// Retrieve the integrity key tag from the store and create its context
-const integrityKeyTag = "example"; // Let's assume this is the key tag used to create the wallet instance
-const integrityContext = getIntegrityContext(integrityKeyTag);
-
-// Let's assume the key esists befor starting the presentation process
-const wiaCryptoContext = createCryptoContextFor(WIA_KEYTAG);
-
-const { WALLET_PROVIDER_BASE_URL, WALLET_EAA_PROVIDER_BASE_URL, REDIRECT_URI } =
-  env; // Let's assume these are the environment variables
-
-/**
- * Obtains a new Wallet Instance Attestation.
- * WARNING: The integrity context must be the same used when creating the Wallet Instance with the same keytag.
- */
-const walletInstanceAttestation =
-  await WalletInstanceAttestation.getAttestation({
-    wiaCryptoContext,
-    integrityContext,
-    walletProviderBaseUrl: WALLET_PROVIDER_BASE_URL,
-    appFetch,
-  });
+// Retrieve and scan the qr-code, decode it and get its parameters
+const qrCodeParams = decodeQrCode(qrCode)
 
 // Start the issuance flow
-const { requestURI, clientId } = Credential.Presentation.startFlowFromQR(requestUri, clientId);
+const {
+  request_uri,
+  client_id,
+  request_uri_method,
+  state
+} = Credential.Presentation.startFlowFromQR(qrCodeParams);
 
-// If use trust federation: Evaluate issuer trust
-const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(clientId);
+// Get the Relying Party's Entity Configuration and evaluate trust
+const { rpConf } = await Credential.Presentation.evaluateRelyingPartyTrust(client_id);
 
+// Get the Request Object from the RP
 const { requestObjectEncodedJwt } =
-    await Credential.Presentation.getRequestObject(requestURI, {
-      appFetch: appFetch
-    });
-
-// Retrieve RP JWK
-// If use trust federation: Fetch Jwks from rpConf
-const jwks = await Credential.Presentation.fetchJwksFromConfig(rpConf);
+  await Credential.Presentation.getRequestObject(request_uri);
 
-// If not use trust: Fetch Jwks from request object
-const jwks = await Credential.Presentation.fetchJwksFromRequestObject(
+// Validate the Request Object
+const { requestObject } = await Credential.Presentation.verifyRequestObject(
   requestObjectEncodedJwt,
-  { context: { appFetch } }
+  { clientId: client_id, rpConf }
 );
 
-// Verify signature Request Object
-const { requestObject } =
-    await Credential.Presentation.verifyRequestObjectSignature(
-      requestObjectEncodedJwt,
-      jwks.keys
-    );
+// All the credentials that might be requested by the Relying Party
+const credentialsSdJwt = [
+  ["credential1_keytag", "eyJraWQiOiItRl82VWdhOG4zVmVnalkyVTdZVUhLMXpMb2FELU5QVGM2M1JNSVNuTGF3IiwidHlwIjoidmMrc2Qtand0IiwiYWxnIjoiRVMyNTYifQ.eyJfc2"],
+  ["credential2_keytag", "eyJ0eXAiOiJ2YytzZC1qd3QiLCJhbGciOiJFUzI1NiIsImtpZCI6Ii1GXzZVZ2E4bjNWZWdqWTJVN1lVSEsxekxvYUQtTlBUYzYzUk1JU25MYXcifQ.ew0KIC"]
+];
 
-
-const { presentationDefinition } = await Credential.Presentation.fetchPresentDefinition(
-  requestObject,
-  {
-    appFetch: appFetch,
-  },
-  rpConf // If trust federation is used
+const result = Credential.Presentation.evaluateDcqlQuery(
+  credentialsSdJwt,
+  requestObject.dcql_query as DcqlQuery
 );
 
-// For each credential, find it and evaluate input descriptor and disclosures
-  const { requiredDisclosures } = Credential.Presentation.evaluateInputDescriptionForSdJwt4VC(
-    inputDescriptor,
-    credential.payload,
-    disclosures
-  );
+const credentialsToPresent = result.map(
+  ({ requiredDisclosures, ...rest }) => ({
+    ...rest,
+    requestedClaims: requiredDisclosures.map(([, claimName]) => claimName),
+  })
+);
 
-// After confirm disclosures in app
-  const authResponse = Credential.Presentation.sendAuthorizationResponse(
-    requestObject,
-    presentationDefinition,
-    jwks,
-    [credential, disclosuresRequested, { appFetch: appFetch }]
+const remotePresentations =
+  await Credential.Presentation.prepareRemotePresentations(
+    credentialsToPresent,
+    requestObject.nonce,
+    requestObject.client_id
   );
 
-
+const authResponse = await Credential.Presentation.sendAuthorizationResponse(
+  requestObject,
+  remotePresentations,
+  rpConf
+);
 ```
 
-</details>
+</details>

package/src/credential/presentation/errors.ts

@@ -1,4 +1,5 @@
 import { IoWalletError, serializeAttrs } from "../../utils/errors";
+export { DcqlError } from "dcql";
 
 /**
  * An error subclass thrown when auth request decode fail
@@ -41,18 +42,33 @@ export class NoSuitableKeysFoundInEntityConfiguration extends IoWalletError {
 }
 
 /**
- * When the entity is unverified because the Relying Party is not trusted.
+ * When a QR code is not valid.
  *
  */
-export class UnverifiedEntityError extends IoWalletError {
-  code = "ERR_UNVERIFIED_RP_ENTITY";
+export class InvalidQRCodeError extends IoWalletError {
+  code = "ERR_INVALID_QR_CODE";
+
+  /** Detailed reason for the QR code validation failure. */
+  reason: string;
 
-  /**
-   * @param reason A description of why the entity cannot be verified.
-   */
   constructor(reason: string) {
-    const message = `Unverified entity: ${reason}.`;
+    super("Invalid QR code");
+    this.reason = reason;
+  }
+}
+
+/**
+ * When the Request Object sent by the Relying Party is not valid
+ */
+export class InvalidRequestObjectError extends IoWalletError {
+  code = "ERR_INVALID_REQUEST_OBJECT";
+
+  /** Detailed reason for the Request Object validation failure. */
+  reason: string;
+
+  constructor(message: string, reason = "unspecified") {
     super(message);
+    this.reason = reason;
   }
 }
 
@@ -72,18 +88,25 @@ export class MissingDataError extends IoWalletError {
   }
 }
 
+export type NotFoundDetail = {
+  id: string;
+  reason?: string;
+  vctValues?: string[];
+};
+
 /**
- * When a credential is not found in the wallet.
- *
+ * Error thrown when one or more credentials cannot be found in the wallet
+ * and the presentation request cannot be satisfied.
  */
-export class CredentialNotFoundError extends IoWalletError {
-  code = "ERR_CREDENTIAL_NOT_FOUND";
+export class CredentialsNotFoundError extends IoWalletError {
+  code = "ERR_CREDENTIALS_NOT_FOUND";
+  details: NotFoundDetail[];
 
   /**
-   * @param credentialId The ID of the credential that was not found.
+   * @param details The details of the credentials that could not be found.
    */
-  constructor(credentialId: string) {
-    const message = `Credential not found: ${credentialId}.`;
-    super(message);
+  constructor(details: NotFoundDetail[]) {
+    super("One or more credentials cannot be found in the wallet");
+    this.details = details;
   }
 }

package/src/credential/presentation/index.ts

@@ -7,14 +7,10 @@ import {
   getRequestObject,
   type GetRequestObject,
 } from "./03-get-request-object";
+import { getJwksFromConfig, type FetchJwks } from "./04-retrieve-rp-jwks";
 import {
-  fetchJwksFromRequestObject,
-  fetchJwksFromConfig,
-  type FetchJwks,
-} from "./04-retrieve-rp-jwks";
-import {
-  verifyRequestObjectSignature,
-  type VerifyRequestObjectSignature,
+  verifyRequestObject,
+  type VerifyRequestObject,
 } from "./05-verify-request-object";
 import {
   fetchPresentDefinition,
@@ -22,38 +18,40 @@ import {
 } from "./06-fetch-presentation-definition";
 import {
   evaluateInputDescriptors,
+  prepareLegacyRemotePresentations,
   type EvaluateInputDescriptors,
+  type PrepareLegacyRemotePresentations,
 } from "./07-evaluate-input-descriptor";
 import {
   evaluateDcqlQuery,
+  prepareRemotePresentations,
   type EvaluateDcqlQuery,
+  type PrepareRemotePresentations,
 } from "./07-evaluate-dcql-query";
 import {
-  prepareRemotePresentations,
   sendAuthorizationResponse,
   type SendAuthorizationResponse,
+  sendLegacyAuthorizationResponse,
+  type SendLegacyAuthorizationResponse,
   sendAuthorizationErrorResponse,
   type SendAuthorizationErrorResponse,
-  sendAuthorizationResponseDcql,
-  type SendAuthorizationResponseDcql,
 } from "./08-send-authorization-response";
 import * as Errors from "./errors";
-import type { PrepareRemotePresentations } from "./types";
 
 export {
   startFlowFromQR,
   evaluateRelyingPartyTrust,
   getRequestObject,
-  fetchJwksFromRequestObject,
-  fetchJwksFromConfig,
-  verifyRequestObjectSignature,
+  getJwksFromConfig,
+  verifyRequestObject,
   fetchPresentDefinition,
   evaluateInputDescriptors,
   evaluateDcqlQuery,
+  prepareLegacyRemotePresentations,
+  prepareRemotePresentations,
   sendAuthorizationResponse,
+  sendLegacyAuthorizationResponse,
   sendAuthorizationErrorResponse,
-  sendAuthorizationResponseDcql,
-  prepareRemotePresentations,
   Errors,
 };
 export type {
@@ -61,12 +59,13 @@ export type {
   EvaluateRelyingPartyTrust,
   GetRequestObject,
   FetchJwks,
-  VerifyRequestObjectSignature,
+  VerifyRequestObject,
   FetchPresentationDefinition,
   EvaluateInputDescriptors,
+  EvaluateDcqlQuery,
+  PrepareLegacyRemotePresentations,
   PrepareRemotePresentations,
   SendAuthorizationResponse,
-  SendAuthorizationResponseDcql,
+  SendLegacyAuthorizationResponse,
   SendAuthorizationErrorResponse,
-  EvaluateDcqlQuery,
 };

package/src/credential/presentation/types.ts

@@ -1,58 +1,38 @@
 import type { CryptoContext } from "@pagopa/io-react-native-jwt";
 import { UnixTime } from "../../sd-jwt/types";
 import * as z from "zod";
-import { JWKS } from "../../utils/jwk";
-
-export type EvaluatedDisclosure = {
-  namespace?: string;
-  name: string;
-  value: unknown;
-};
-
-export type CredentialFormat =
-  | {
-      format: "vc+sd-jwt";
-    }
-  | {
-      format: "mso_mdoc";
-      doctype: string;
-    };
 
 /**
  * A pair that associate a tokenized Verified Credential with the claims presented or requested to present.
  */
 export type Presentation = [
   /* verified credential token */ string,
-  /* claims */ EvaluatedDisclosure[],
+  /* claims */ string[],
   /* the context for the key associated to the credential */ CryptoContext,
 ];
 
 /**
  * A object that associate the information needed to multiple remote presentation
+ * Used with `presentation_definition`
+ * @deprecated Use `RemotePresentation`
  */
-export type RemotePresentation = {
-  presentations: {
-    requestedClaims: string[];
-    credentialId: string;
-    format: string;
-    vpToken: string;
-  }[];
-  generatedNonce?: string /* nonce generated by app, used in mdoc presentation */;
+export type LegacyRemotePresentation = {
+  requestedClaims: string[];
+  inputDescriptor: InputDescriptor;
+  format: string;
+  vpToken: string;
 };
 
-export type PrepareRemotePresentations = (
-  credentials: ({
-    requestedClaims: EvaluatedDisclosure[];
-    credentialInputId: string; // The credential ID descriptor in the presentation definition or DCQL query
-    credential: string;
-    keyTag: string;
-  } & CredentialFormat)[],
-  authRequestObject: {
-    nonce: string;
-    clientId: string;
-    responseUri: string;
-  }
-) => Promise<RemotePresentation>;
+/**
+ * A object that associate the information needed to multiple remote presentation
+ * Used with DCQL queries
+ */
+export type RemotePresentation = {
+  requestedClaims: string[];
+  credentialId: string;
+  format: string;
+  vpToken: string;
+};
 
 const Fields = z.object({
   path: z.array(z.string().min(1)), // Array of JSONPath string expressions
@@ -111,57 +91,80 @@ export const PresentationDefinition = z.object({
 
 export type RequestObject = z.infer<typeof RequestObject>;
 export const RequestObject = z.object({
-  iss: z.string().optional(), //optional by RFC 7519, mandatory for Potential
-  iat: UnixTime.optional(),
-  exp: UnixTime.optional(),
+  iss: z.string(),
+  iat: UnixTime,
+  exp: UnixTime,
   state: z.string().optional(),
   nonce: z.string(),
   response_uri: z.string(),
+  response_uri_method: z.string().optional(),
   response_type: z.literal("vp_token"),
-  response_mode: z.enum(["direct_post.jwt", "direct_post"]),
+  response_mode: z.literal("direct_post.jwt"),
   client_id: z.string(),
-  client_id_scheme: z.string().optional(), // previous z.literal("entity_id"),
-  client_metadata: z
-    .object({
-      authorization_encrypted_response_alg: z.string().optional(),
-      authorization_encrypted_response_enc: z.string().optional(),
-      jwks_uri: z.string().optional(),
-      jwks: JWKS.optional(),
-    })
-    .optional(), // previous z.literal("entity_id"),
   dcql_query: z.record(z.string(), z.any()).optional(), // Validation happens within the `dcql` library, no need to duplicate it here
   scope: z.string().optional(),
   presentation_definition: PresentationDefinition.optional(),
 });
 
+export type WalletMetadata = z.infer<typeof WalletMetadata>;
+export const WalletMetadata = z.object({
+  presentation_definition_uri_supported: z.boolean().optional(),
+  client_id_schemes_supported: z.array(z.string()).optional(),
+  request_object_signing_alg_values_supported: z.array(z.string()).optional(),
+  vp_formats_supported: z.record(
+    z.string(), // TODO [SIW-2110]: use explicit credential format?
+    z.object({
+      "sd-jwt_alg_values": z.array(z.string()).optional(), // alg_values_supported?
+    })
+  ),
+  // TODO [SIW-2110]: include other metadata?
+});
+
+/**
+ * Wallet capabilities that must be submitted to get the Request Object
+ * via POST request when the `request_uri_method` is `post`.
+ */
+export type RequestObjectWalletCapabilities = z.infer<
+  typeof RequestObjectWalletCapabilities
+>;
+export const RequestObjectWalletCapabilities = z.object({
+  wallet_metadata: WalletMetadata,
+  wallet_nonce: z.string().optional(),
+});
+
 /**
  * This type models the possible error responses the OpenID4VP protocol allows for a presentation of a credential.
- * See https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#name-error-response for more information.
+ * When the Wallet encounters one of these errors, it will notify the Relying Party through the `response_uri` endpoint.
+ * See https://italia.github.io/eid-wallet-it-docs/versione-corrente/en/pid-eaa-presentation.html#authorization-response-errors for more information.
  */
 export type ErrorResponse = z.infer<typeof ErrorResponse>;
 export const ErrorResponse = z.enum([
-  "invalid_scope",
+  "invalid_request_object",
+  "invalid_request_uri",
+  "vp_formats_not_supported",
   "invalid_request",
-  "invalid_client",
   "access_denied",
+  "invalid_client",
 ]);
 
 /**
- * Type that defines the possible payload formats accepted by {@link buildDirectPostJwtBody} and {@link buildDirectPostBody}
+ * @deprecated Use `DirectAuthorizationBodyPayload`
+ */
+const LegacyDirectAuthorizationBodyPayload = z.object({
+  vp_token: z.union([z.string(), z.array(z.string())]).optional(),
+  presentation_submission: z.record(z.string(), z.unknown()),
+});
+
+/**
+ * Authorization Response payload sent to the Relying Party.
  */
 export type DirectAuthorizationBodyPayload = z.infer<
   typeof DirectAuthorizationBodyPayload
 >;
 export const DirectAuthorizationBodyPayload = z.union([
   z.object({
-    vp_token: z
-      .union([
-        z.string(), // Presentation Definition with one credential
-        z.array(z.string()), // Presentation Definition with more credential
-        z.record(z.string(), z.string()), // DCQL query
-      ])
-      .optional(),
-    presentation_submission: z.record(z.string(), z.unknown()).optional(),
+    vp_token: z.record(z.string(), z.string()),
   }),
-  z.object({ error: ErrorResponse }),
+  z.object({ error: ErrorResponse, error_description: z.string() }),
+  LegacyDirectAuthorizationBodyPayload,
 ]);

package/src/credential/status/01-start-flow.ts

@@ -0,0 +1,9 @@
+/**
+ * WARNING: This is the first function to be called in the status attestation flow. The next function to be called is {@link statusAttestation}.
+ * The beginning of the status attestation flow.
+ *
+ * @returns The url of the credential issuer to be used in the next function.
+ */
+export type StartFlow = () => {
+  issuerUrl: string;
+};

package/src/credential/status/02-status-attestation.ts

@@ -0,0 +1,105 @@
+import {
+  getCredentialHashWithouDiscloures,
+  hasStatusOrThrow,
+  type Out,
+} from "../../utils/misc";
+import type { EvaluateIssuerTrust, ObtainCredential } from "../issuance";
+import { type CryptoContext, SignJWT } from "@pagopa/io-react-native-jwt";
+import { v4 as uuidv4 } from "uuid";
+import { StatusAttestationResponse } from "./types";
+import {
+  IssuerResponseError,
+  IssuerResponseErrorCodes,
+  ResponseErrorBuilder,
+  UnexpectedStatusCodeError,
+} from "../../utils/errors";
+import { LogLevel, Logger } from "../../utils/logging";
+
+export type StatusAttestation = (
+  issuerConf: Out<EvaluateIssuerTrust>["issuerConf"],
+  credential: Out<ObtainCredential>["credential"],
+  credentialCryptoContext: CryptoContext,
+  appFetch?: GlobalFetch["fetch"]
+) => Promise<{
+  statusAttestation: StatusAttestationResponse["status_attestation"];
+}>;
+
+/**
+ * WARNING: This function must be called after {@link startFlow}.
+ * Verify the status of the credential attestation.
+ * @param issuerConf - The issuer's configuration
+ * @param credential - The credential to be verified
+ * @param credentialCryptoContext - The credential's crypto context
+ * @param context.appFetch (optional) fetch api implementation. Default: built-in fetch
+ * @throws {IssuerResponseError} with a specific code for more context
+ * @returns The credential status attestation
+ */
+export const statusAttestation: StatusAttestation = async (
+  issuerConf,
+  credential,
+  credentialCryptoContext,
+  appFetch: GlobalFetch["fetch"] = fetch
+) => {
+  const jwk = await credentialCryptoContext.getPublicKey();
+  const credentialHash = await getCredentialHashWithouDiscloures(credential);
+  const statusAttUrl =
+    issuerConf.openid_credential_issuer.status_attestation_endpoint;
+  const credentialPop = await new SignJWT(credentialCryptoContext)
+    .setPayload({
+      aud: statusAttUrl,
+      jti: uuidv4().toString(),
+      credential_hash: credentialHash,
+      credential_hash_alg: "S256",
+    })
+    .setProtectedHeader({
+      alg: "ES256",
+      typ: "status-attestation-request+jwt",
+      kid: jwk.kid,
+    })
+    .setIssuedAt()
+    .setExpirationTime("5m")
+    .sign();
+
+  const body = {
+    credential_pop: credentialPop,
+  };
+
+  Logger.log(LogLevel.DEBUG, `Credential pop: ${credentialPop}`);
+
+  const result = await appFetch(statusAttUrl, {
+    method: "POST",
+    headers: {
+      "Content-Type": "application/json",
+    },
+    body: JSON.stringify(body),
+  })
+    .then(hasStatusOrThrow(201))
+    .then((raw) => raw.json())
+    .then((json) => StatusAttestationResponse.parse(json))
+    .catch(handleStatusAttestationError);
+
+  return { statusAttestation: result.status_attestation };
+};
+
+/**
+ * Handle the status attestation error by mapping it to a custom exception.
+ * If the error is not an instance of {@link UnexpectedStatusCodeError}, it is thrown as is.
+ * @param e - The error to be handled
+ * @throws {IssuerResponseError} with a specific code for more context
+ */
+const handleStatusAttestationError = (e: unknown) => {
+  if (!(e instanceof UnexpectedStatusCodeError)) {
+    throw e;
+  }
+
+  throw new ResponseErrorBuilder(IssuerResponseError)
+    .handle(404, {
+      code: IssuerResponseErrorCodes.CredentialInvalidStatus,
+      message: "Invalid status found for the given credential",
+    })
+    .handle("*", {
+      code: IssuerResponseErrorCodes.StatusAttestationRequestFailed,
+      message: `Unable to obtain the status attestation for the given credential`,
+    })
+    .buildFrom(e);
+};